FortiOS XSS vulns via User Groups & Config Revision Comments Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-127 Final 1 1 2017-06-15T00:00:00 Current version 2017-06-15T00:00:00 2017-06-15T00:00:00 Two XSS vulnerabilities were reported to us affecting FortiOS that can be exploited to load and run a remote (malicious) Javascript in a logged in browser.The vulnerable input fields are * the "Comments" input while saving Configuration Revisions (CVE-2017-7734)the "Groups" input while creating or editing User Groups (CVE-2017-7735) Execute unauthorized code or commands CVE-2017-7734: FortiOS versions 5.4.0 to 5.4.4CVE-2017-7735: FortiOS versions 5.2.0 to 5.4.4 Upgrade to FortiOS 5.4.5 or 5.6.0 Fortinet is pleased to thank Walmart's ISD Enterprise Security Testing (EST) Team for reporting this vulnerability under responsible disclosure. CVE-2017-7734 CVE-2017-7735 4.2 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-127 FortiOS XSS vulns via User Groups & Config Revision Comments Reference>